The XML standard defines the concept of an external general parsed entity (usually shortened to external entity), which can pull in local or remote content through a declared system identifier. During parsing, the XML processor replaces each reference to such an entity with the content it points to.

The following XML references the acunetixent external entity, which the parser should replace with the content of the local file /etc/passwd.

As this example shows, external entities, if enabled, pose a serious security risk because an attacker can read local files. The risk, however, is not limited to local file access. External entities can be declared to reach arbitrary hosts on the internal network or on the internet. XML External Entity (XXE) is a subset of Server Side Request Forgery (SSRF) attacks and carries all the risks associated with them.

The Billion Laughs Denial-of-Service (DoS) attack consists of defining 10 entities, each consisting of 10 copies of the previous entity, with the document containing a single reference to the largest entity, which expands to one billion copies of the first entity.
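The defensive counterpart of the two issues above, as an added example that is not Acunetix code: a parser built on Python's standard-library expat bindings that refuses DOCTYPE declarations outright by default, refuses any SYSTEM/PUBLIC entity (file or network access) even when a DTD is allowed, and caps entity expansion so a Billion Laughs document is rejected long before it exhausts memory. The sample documents, the MAX_AMPLIFICATION budget and the function names are constructed for this illustration.

```python
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    pass  # the document uses a feature the parsing policy forbids

MAX_AMPLIFICATION = 100  # hypothetical budget: expanded chars allowed per input byte

def parse_untrusted(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse XML with external entities refused and entity expansion bounded."""
    p = expat.ParserCreate()
    out, emitted = {"root": None, "text": []}, 0
    budget = MAX_AMPLIFICATION * max(len(data), 1)
    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:  # strictest policy: no DTD, hence no entities at all
            raise UnsafeXML("DOCTYPE declarations are not accepted")
        if sysid or pubid:
            raise UnsafeXML(f"external DTD subset {sysid!r} refused")
    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        # A SYSTEM/PUBLIC identifier means file or network access (XXE or SSRF),
        # whether it names file:///etc/passwd or an http:// host.
        if sysid is not None or pubid is not None:
            raise UnsafeXML(f"external entity {name!r} -> {sysid!r} refused")
    def on_chardata(text):
        nonlocal emitted
        emitted += len(text)
        if emitted > budget:  # Billion Laughs trips this long before memory runs out
            raise UnsafeXML("entity expansion exceeds amplification budget")
        out["text"].append(text)
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.StartElementHandler = lambda tag, attrs: out.update(root=out["root"] or tag)
    p.CharacterDataHandler = on_chardata
    p.Parse(data, True)  # an exception in a handler aborts parsing and propagates
    return {"root": out["root"], "text": "".join(out["text"])}

def check(data: bytes, allow_dtd: bool = False) -> str:
    """Return 'ok' or the policy violation, e.g. for an alert or log line."""
    try:
        parse_untrusted(data, allow_dtd)
        return "ok"
    except UnsafeXML as exc:
        return str(exc)

CLEAN = b'<?xml version="1.0"?><note><to>ops</to><body>hello</body></note>'  # constructed
FILE_XXE = b'<!DOCTYPE r [<!ENTITY acunetixent SYSTEM "file:///etc/passwd">]><r>&acunetixent;</r>'

def billion_laughs(levels: int = 5) -> bytes:
    """Constructed Billion Laughs document expanding to 10**levels copies of 'lol'."""
    ents = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        ents.append(f'<!ENTITY lol{i} "{"&lol%d;" % (i - 1) * 10}">')
    return f'<!DOCTYPE r [{"".join(ents)}]><r>&lol{levels};</r>'.encode()
```

With `allow_dtd=False` every document carrying a DOCTYPE is rejected at the declaration; with `allow_dtd=True` the external entity and the expansion budget are still enforced, which is what `check()` reports.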

The test works by defining an external entity that references the AcuMonitor domain and then checking whether that request was actually made. Using AcuMonitor, the scanner can detect all XXE variants, including those whose result is never echoed back in the response.